基于采样和加权损失函数的模型窃取攻击方法

Model stealing attack based on sampling and weighting

模型窃取攻击旨在获得一个和目标受害模型功能相似的替代模型.现有的方法主要采用数据生成或数据选择方法和交叉熵损失函数去获得一个较好的攻击效果.据此,本文着重研究了攻击过程中这两个极为重要的模块:数据采样和损失函数.同时,本文提出了一个新颖的模型窃取攻击方法S&W,其包含了一种新的采样策略和一个精心设计的加权损失函数.首先,新的采样策略更加关注于从受害者模型中获得更多信息的重要样本.与此同时,本文通过引入k-Center算法达到选择样本的多样性的目的.其次,受到经典Focal损失函数的启发,本文设计了一种新的加权损失函数.该损失函数主要关注于受害者模型和替代模型对于相同输入所给出的输出之间的差异,从而促使替代模型模拟受害者模型.在4个常用的数据集上,我们通过实验证明了本文提出的方法的有效性.相比于之前最好的方法,本文方法最高有5.03%的性能提升.

A model stealing attack aims to create a substitute model that steals the task completion ability of the target victim model.Popular approaches have used data generation/selection and entropy loss to achieve promising attack performance.In this paper,we explore two overlooked yet effective components of the attack,data sampling and weighting.We propose a novel method named S&W that provides a sampling scheme and a softlabel weighted loss function.First,we propose a data selection strategy that pays more attention to important samples for stealing more information from the victim model.Then,we introduce the k-Center algorithm to guarantee the selected subset's diversity,aiming to make the core-set selection tractable.Second,we propose a weighted entropy loss inspired by the focal loss that mainly focuses on the difference in outputs of the victim and the stealing models,allowing the substitute model to better simulate the victim model.Extensive experiments on four widely used datasets consistently show that our proposed method outperforms state-of-the-art methods,with a maximum improvement of 5.03% over the next best method.